The Issue

The Yoast plugin v.1.7.3.3 was found to be affected by two authenticated (admin, editor or author user) blind SQL injection vulnerabilities within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters were not sufficiently sanitised before being used in a SQL query.

The Answer

WooCommerce by WooThemes

Within a couple of days of the Yoast security issue, a security vulnerability was also found in the WooCommerce plugin (v.2.3.5 and older versions), discovered by Matt Barry of Wordfence.

The WooCommerce team reacted quickly and issued an update with a security fix.

The Issue

A SQL injection vulnerability was found in the admin panel. Within the Tax Settings page of WooCommerce, the key of the 'tax_rate_country' POST parameter is passed unescaped into a SQL insert statement. For example, a payload of tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds. Because this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited.

The Answer

Update to v.2.3.6 immediately.
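Both issues above share one root cause: request data (the orderby/order GET parameters in one case, the array key of tax_rate_country[...] in the other) reaching SQL without validation. The following is an added Python model of the fix, not code from either plugin; it assumes a column whitelist, numeric tax rate ids as the array keys, and a stand-in table name wc_tax_rates, and shows the unchecked ORDER BY beside the whitelisted one and a tax-rate save that rejects the page's SLEEP payload before any query runs.

```python
import re
import sqlite3

# Whitelists assumed for this example; the real plugins have their own column and field lists.
ALLOWED_ORDERBY = {"ID", "post_title", "post_date", "post_modified"}
ALLOWED_ORDER = {"ASC", "DESC"}
RATE_ID = re.compile(r"^[0-9]+$")    # tax rate row ids arrive as the array keys
COUNTRY = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2 country codes

def unsafe_list_query(get):
    """Shape of the bulk-editor bug: GET parameters dropped straight into ORDER BY."""
    return ("SELECT ID, post_title FROM wp_posts ORDER BY "
            f"{get.get('orderby', 'ID')} {get.get('order', 'ASC')}")

def safe_list_query(get):
    """Identifiers cannot be bound as placeholders, so whitelist them instead of escaping."""
    orderby = get.get("orderby", "ID")
    order = get.get("order", "ASC").upper()
    if orderby not in ALLOWED_ORDERBY or order not in ALLOWED_ORDER:
        raise ValueError(f"rejected orderby={orderby!r} order={order!r}")
    return f"SELECT ID, post_title FROM wp_posts ORDER BY {orderby} {order}"

def save_tax_rate_countries(conn, post):
    """Validate each tax_rate_country[key] = value pair, then bind values with placeholders.
    Returns the number of rows written; raises before touching the DB on any bad key or value."""
    rows = []
    for rate_id, country in post.get("tax_rate_country", {}).items():
        if not RATE_ID.match(rate_id) or not COUNTRY.match(country):
            raise ValueError(f"rejected tax_rate_country[{rate_id!r}] = {country!r}")
        rows.append((int(rate_id), country))
    conn.executemany(
        "INSERT INTO wc_tax_rates (tax_rate_id, tax_rate_country) VALUES (?, ?)", rows)
    return len(rows)

def demo():
    """Run the save handler over constructed requests; returns (rows_saved, hostile_rejected)."""
    conn = sqlite3.connect(":memory:")  # wc_tax_rates is an assumed stand-in table name
    conn.execute("CREATE TABLE wc_tax_rates (tax_rate_id INTEGER, tax_rate_country TEXT)")
    benign = {"tax_rate_country": {"1": "GB", "2": "DE"}}          # constructed form post
    hostile = {"tax_rate_country": {"(SELECT SLEEP(10))": "GB"}}  # key from the page's example
    saved = save_tax_rate_countries(conn, benign)
    try:
        save_tax_rate_countries(conn, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return saved, rejected
```

Calling demo() returns (2, True): the benign rows are written and the hostile key never reaches the database.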

Addendum

#1 On April 20, 2015, Sucuri published a list of other plugins that were also vulnerable to Cross-site Scripting (XSS) due to misuse of the add_query_arg() and remove_query_arg() functions.

Sucuri went on to say "there are probably more plugins that have not yet been found that have the same problem [they've only looked into the top 300 - 400 and others that were notable]".

add_query_arg() and remove_query_arg() are relatively common functions in advanced WordPress development, so in all likelihood many more plugins than those listed above have similar vulnerabilities.
